Curated Tech Content

Whether we are publishing our own original content or helping our partners get the word out about their technologies, we bring you the latest news, market trends and product innovation.

What is the Difference Between a Data Breach and Security Incident?

There has been a lack of distinction between a data breach and a security incident in the media of late. While many of the publicised security incidents are true data breaches, some are not. A data breach is a serious type of security incident that involves the release of sensitive personal, protected and/or confidential data, such as social security numbers and personal health records. Other types of security incidents, such as impersonation, denial of service and website defacement, do not involve the theft of sensitive personal data and are treated very differently in the eyes of the law and for purposes of regulatory compliance.

The fine point here is that organisations are not required to report many security incidents, but they are required by law to follow particular procedures in the case of a data breach. There is some controversy over responsibility for public disclosure of security incidents, and the SEC appears to be considering a disclosure framework, but it is not a requirement… yet.

While there are prescribed processes for handling data breaches, compliance is rather complicated as they vary from state to state and country to country. PwC has released an analysis of the Australian “Notifiable Data Breaches” legislation, which summarises the bill and provides recommendations. This document can be found HERE.

This situation of varying and inconsistent treatment of data breaches is getting politicians involved, with the notion of federal standards on data breach notification being debated. The standardised data breach notification laws under consideration may also put more emphasis on encryption of sensitive data, security monitoring and employee training. Lawmakers might also address “the blame game”, as there appears to be quite a bit of bickering between banks and retailers as to who is to blame for data breaches.

Interestingly, CEOs seem more likely to lose their jobs over data breaches than over other security incidents. This is not to say that other types of security incidents are not critical; it is just that, at this point at least, companies are not forced to disclose the “indecent exposure” information for other types of security incidents, and it is that forced disclosure which affects C-level executive jobs and the stock price.

Even if you are not a CEO, if you work in IT or come into contact with sensitive personal data, it is one heck of a liability. And with solicitors and politicians becoming increasingly involved, it appears that the situation will only get more stressful, and may come to include mandatory disclosure of other types of security incidents.

For more information contact ASI’s Head of Services, Daniel Johns at djohns@asi.com.au, or 0407 544 821.